Cyberthreat analysis and intelligence

Industry Innovators 2016: Cyberthreat analysis and intelligence

Cyberthreat analysis and intelligence has become a staple of next-generation security tools. However, as a group by itself it contains some of our most noteworthy Innovators. In fact, it is not uncommon for these tools to provide the threat feeds that drive tools that incorporate threat intelligence in their products. Over the past two or three years as these tools have evolved we find that they are coalescing into a couple of types.

First, there are what we call the bits and bytes tools. These pass digital data in a more or less structured format. An example of these tools would be products that analyze malware using next-generation techniques and then pass those data to other tools to be incorporated into their analysis along with other threat feeds.

The second type usually is more unstructured in its data types. In reality, it is usually a mix with both structured and unstructured data. However, its value comes from its content, which almost always is predominantly unstructured. These data come from a variety of sources that fit into two major categories: open and closed source. Two of our Innovators in this section include one of each – open and closed source.

The methods for collecting data range from screen scraping – the main source for open source – and human intelligence – humint – which requires boots on the ground in the underground forums. This is the main source for closed source data. As one of our Innovators explained, for open source it's all about the data, but for closed source it's all about the access.

The bits and bytes folks pretty much all have APIs that allow connection directly into their analysis engines. One of the more popular uses for this is Maltego, an internet link analyzer that is free for the community edition and commercial for corporate use. These APIs allow Maltego to incorporate the source's data in its analysis. Interestingly, there also are APIs for the two free-form tools which we assessed this year. And, not surprisingly, they both can feed Maltego – among many other analysis tools.

Intel 471

Intel 471 is an actor-centric cyberthreat intelligence collection capability. We are headquartered in the USA. They are focused on closed source intelligence collection of financially motivated cybercriminals and hacktivists. They have teams across the globe who are on the ground in Eastern Europe, Asia and Latin America. Although some companies offer raw indicators or feeds as threat intelligence (“bits and bytes”), in order to shine a light on the adversary's business process Intel 471 focuses on the individual threat actors and groups that pose a threat to the target organization and sector.

Intel 471 provides proactive visibility into threat actors and their TTPs (tactics, techniques and procedures), planning, marketplaces and communication networks. The tool is delivered through an online portal that provides information reports, full text searching, alerting, monitoring actors across forums/marketplaces and social network analysis. The format is one consistent with and familiar to intelligence professionals.

There also is an API that allows automated queries by alias/handle, IP address, email address, etc., that can be fed to third -party threat intelligence platform integrations, including Maltego.

The top use case for Intel 471's intelligence collection is supporting threat intelligence teams with intelligence collection and data in order to support the creation of timely and relevant finished intelligence products for your organization.

The Intel 471 platform is solid. The idea is to make the platform the de facto tool for actor-centric threat intelligence. Over the past year this Innovator has added alerting, grouping and increased searchability. This gives users a window into the network underground without needing to go into the dark web themselves.

Going forward and ever innovating, the company is adding mass human translations from Russian. One can't rely on machine translation because of slang. Clients can make specific requests, but then the translation is retained so it's search once and distribute many. The translation team will begin tagging content and putting into groups. Expanding tagging goes beyond just reports.

One creative innovation is that Intel 471 is an intelligence company by intelligence people and that drives how they hire. They are beginning to do integration with other companies/platforms, etc. One of their secrets of success is overcoming barriers to entry. They see that as a differentiator. They have an intelligence-driven model. Essentially, this Innovator has taken a government-style intel operation and made it commercial.

Silobreaker is an open source intelligence service that helps security and intelligence professionals derive context from the overwhelming amount of data on the web. By providing powerful tools and visualizations that analyze data from hundreds of thousands of open sources, Silobreaker enables monitoring and investigating threats, compromises, actors, instabilities, geopolitical developments or any other topic, incident or event. Analysts save time by working more efficiently through large data-sets and improve their expertise, knowledge and decision-making by examining and interpreting the data more easily.

We have been using Silobreaker in SC Labs for some time and the biggest benefit we see is context. We are able to spin up – in about five minutes – a dashboard that can perform, on an ongoing basis, searches at many levels of depth. In addition, the actual content returned by the searches is good, but not as good as the tool's visualization capabilities. There are a number ways that one can visualize the collected data. So, in addition to developing a sense of context from the raw data, there are several ways to visualize the relationships between actors, organizations and events called out in the raw data scraped from news sources, social media, reports and other sources.

For example, if we looked for information on the 2016 election we would get all of the stories, tweets, Facebook postings and analysis and we also would get the relationships of all of the people involved in the election – to the election itself and to each other. We could view them as a network of interconnected links, a heat list that shows what is trending at the moment on the internet, or any of several other formats. If we use Maltego (which we do), we can apply the Silobreaker API and add the power of that link analyzer and all of the other tools for which it accepts APIs.

Recently, this Innovator added such new topics as actors, malware, email domain vulnerability and expanded social media sites. They also have added Pastebin expanded import. However, they also have refined their filters here because Pastebin is very big and has pastes of all kinds. Now analysts can download data in CSV format for additional processing. In addition to its current languages, Silobreaker has added Italian and users can get the assistance of a Silobreaker analyst provided by the Response service – sort of, as their website puts it, “an analyst for hire” when you need some additional expert help.

Uplevel Security is a two-year-old company. There is plenty of noise in the market so they take a creative approach. When they looked at threat intelligence from a strategic level they kept coming back to response. When you take a data scientist and an IT expert and tell them to go start a threat intelligence company you end up with proactive analysis using graph theory and machine learning. The next task was to infuse threat intelligence into every phase of investigation and response, especially response. So they built on top some basic elements they saw as missing.

That started with a case management system. It is structured so the data became available going forward. Threat intelligence is housed within the same system as the response system so as to have threat intelligence management. From the start Uplevel was able to automate some repetitive processes using workflow orchestration. This allows users to identify malicious activity. Then they built an analytical engine on top of the case management system. The analytical engine builds a graph that represents all historical information and provides a context between the elements. Alerts are transformed into a mini-graph and merged into the overall graph to see historical associations. This allows the fusing of an organization's event data with the threat intelligence. That lets users run alerts over current activity and over historical data.

Uplevel has focused on the technology so as not to be a “me-too” vendor in this market space. They know of no organization that really is happy with their ticketing system, so, clearly case management is very important to customers and that became its core building block. Case management is difficult when the analysis becomes complicated, especially when it involves multiple analysts. It is more important, however, when performing incident response.

The Incident Response Platform enables enterprise security teams to improve operational efficiency and respond to cyberattacks faster and more accurately by automating critical response processes. Uplevel focuses on how security teams actually operate and provides automation where it is needed most – the ingestion and dissection of threat intelligence and attack data, the surfacing of relationships across attacks, the handling of established workflows and the identification of repetitive workflows for suggested automation.

Both cloud and on-premises (AMI, VM) deployment options are available.

Click here to read Industry Innovators 2016: Analysis and testing